The tactics of human-operated ransomware campaigns continue to escalate. Victims who previously feared having their their systems disrupted, their files encrypted and their data stolen and published online may now face another ultimatum: Pay up or have your data auctioned off to the highest bidder.
That’s the latest threat from the Sodinokibi/REvil gang, which announced the launch of its own auction website via its own blog site. Reportedly, the group debuted its new service by offering up files stolen from a Canadian agriculture company that has not paid its ransom demand. The starting price for three stolen databases and 22,000-plus files: $50,000 in Monero cryptocurrency. Another news report identified a second victim as a food and harvest distributor with more than 10,000 stolen files up for auction.
The group also has reportedly floated the idea of selling files on veteran pop star Madonna that were digitally lifted from entertainment law firm Grubman Shire Meiselas & Sacks. Last month, files related to the firm’s celebrity clients were posted on a dark web site by the REvil attackers, who have demanded a $42 million ransom payment in that case to prevent further postings and to rescue encrypted files.
Auctioning off stolen data creates another potential avenue for monetization while also ratcheting up pressure on victims to pay or at least negotiate.
“The auctions may be less about directly creating revenue than they are about upping the ante for future victims,” said Brett Callow, threat analyst at Emsisoft, in an email interview with SC Media. “Having their data published on an obscure .onion site is bad enough, but the prospect of it being auctioned and sold to competitors or other criminal enterprises may chill companies to the bone and provide them with an additional incentive to meet the criminals’ demands.”
“At its core, this scheme is almost certainly seen by the REvil actors as a means of generating additional revenue,” said Jeremy Kennelly, manager, analysis, at Mandiant Threat Intelligence, part of FireEye. “It is very commonplace for threat actors to put data or network access up for auction on underground forums, and this particular scheme is likely a variation of that same trend.”
“The REvil operators may also see this as an alternative mechanism to get paid by impacted organizations who may bid in a public auction to protect the confidentiality of their data,” Kennelly continued. “However, involvement in these auctions may not be in the best interests of impacted organizations who have otherwise refused to pay a ransom, as their involvement could be identified and publicly revealed by the REvil operators, the consequences of which may be difficult to predict.”
Marcus Carey, enterprise architect at ReliaQuest, said he thinks there will be a market for auctioned information and files. “Governments and even cybersecurity vendors would be tempted to buy this data,” he said in emailed comments. “Right now governments and cybersecurity companies pay full-time employees to lurk the dark web for this type of data. From a pure financial perspective it may be cheaper to just buy from these criminals. Companies already buy exploits from the dark web for cybersecurity product research and threat intelligence all the time.”
Callow believes it’s logical that other ransomware attackers will follow REvil’s lead.
“REvil’s launch of [an] online auction was, in many ways, a logical and inevitable progression as ransomware groups constantly seek out new ways to monetize attacks and apply additional pressure to companies,” Callow said. “In the same way that other ransomware groups adopted [the Maze ransomware group’s] encrypt-and-exfiltrate strategy, it’s almost inevitable that other groups will also adopt REvil’s encrypt-exfiltrate-and-auction strategy.”
“The effectiveness of this scheme will only prove itself in time,” said Kennelly. “Actors must weigh the direct financial gain from the auction against the reduced leverage they have against victims who know that their data is less likely to be made public. It is likely that other ransomware operators will follow suit if this strategy proves effective, though it is difficult to predict whether this scheme will become ubiquitous.”
In another troubling development, certain ransomware actors have also adopted a strength-in-numbers strategy — reportedly forming a cartel composed of multiple cybercrime groups collaborating together.
Citing the cyber intelligence firm KeLa, BleepingComputer has reported that the aforementioned Maze gang used its own data leak website to publish a victimized architectural firm’s files, even though the files were actually stolen by a second ransomware group, LockBit. The reason: Maze has entered into a working relationship with LockBit — the financial terms of which Maze has not revealed.
Maze reportedly said they expect to join forces with a third ransomware operation in the near future.
“…[T]hey use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions is behind every successful business,” Maze reportedly told BleepingComputer.